Professional Documents
Culture Documents
Ecdsa Cert PDF
Ecdsa Cert PDF
Don Johnson and Alfred Menezes and Scott Vanstone
Certicom Research, Canada
Dept. of Combinatorics & Optimization, University of Waterloo, Canada
Emails: djohnson, amenezes, svanstone @certicom.com
Abstract
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve
analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999
as an ANSI standard, and was accepted in 2000 as IEEE and NIST
standards. It was also accepted in 1998 as an ISO standard, and is under
consideration for inclusion in some other ISO standards. Unlike the
ordinary discrete logarithm problem and the integer factorization problem,
no subexponential-time algorithm is known for the elliptic curve discrete
logarithm problem. For this reason, the strength-per-key-bit is substantially
greater in an algorithm that uses elliptic curves. This paper describes the
ANSI X9.62 ECDSA, and discusses related security, implementation, and
interoperability issues.
1 Introduction
The Digital Signature Algorithm (DSA) was specified in a U.S. Government Federal
Information Processing Standard (FIPS) called the Digital Signature Standard (DSS
[70]). Its security is based on the computational intractability of the discrete logarithm
problem (DLP) in prime-order subgroups of .
Elliptic curve cryptosystems (ECC) were invented by Neal Koblitz [49] and Victor
Miller [67] in 1985. They can be viewed as elliptic curve analogues of the older
discrete logarithm (DL) cryptosystems in which the subgroup of is replaced by
the group of points on an elliptic curve over a finite field. The mathematical basis for
the security of elliptic curve cryptosystems is the computational intractability of the
elliptic curve discrete logarithm problem (ECDLP).
Since the ECDLP appears to be significantly harder than the DLP, the strength-per-
key-bit is substantially greater in elliptic curve systems than in conventional discrete
logarithm systems. Thus, smaller parameters can be used in ECC than with DL sys-
tems but with equivalent levels of security. The advantages that can be gained from
smaller parameters include speed (faster computations) and smaller keys and certifi-
cates. These advantages are especially important in environments where processing
power, storage space, bandwidth, or power consumption is constrained.
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue
of the DSA. ECDSA was first proposed in 1992 by Scott Vanstone [108] in response
to NIST’s (National Institute of Standards and Technology) request for public com-
ments on their first proposal for DSS. It was accepted in 1998 as an ISO (Inter-
national Standards Organization) standard (ISO 14888-3), accepted in 1999 as an
ANSI (American National Standards Institute) standard (ANSI X9.62), and accepted
in 2000 as an IEEE (Institute of Electrical and Electronics Engineers) standard (IEEE
1363-2000) and a FIPS standard (FIPS 186-2). It is also under consideration for in-
clusion in some other ISO standards. In this paper, we describe the ANSI X9.62
ECDSA, present rationale for some of the design decisions, and discuss related se-
curity, implementation, and interoperability issues.
2 Digital Signature Schemes
2.1 Background
Digital signature schemes are designed to provide the digital counterpart to hand-
written signatures (and more). A digital signature is a number dependent on some
secret known only to the signer (the signer’s private key), and, additionally, on the
contents of the message being signed. Signatures must be verifiable — if a dispute
arises as to whether an entity signed a document, an unbiased third party should be
able to resolve the matter equitably, without requiring access to the signer’s private
key. Disputes may arise when a signer tries to repudiate a signature it did create, or
when a forger makes a fraudulent claim.
This paper is concerned with asymmetric digital signatures schemes with appendix.
“Asymmetric” means that each entity selects a key pair consisting of a private key
and a related public key. The entity maintains the secrecy of the private key which it
uses for signing messages, and makes authentic copies of its public key available to
other entities which use it to verify signatures. “Appendix” means that a cryptographic
hash function is used to create a message digest of the message, and the signing
transformation is applied to the message digest rather than to the message itself.
A PPLICATIONS. Digital signature schemes can be used to provide the following ba-
sic cryptographic services: data integrity (the assurance that data has not been al-
tered by unauthorized or unknown means), data origin authentication (the assur-
ance that the source of data is as claimed), and non-repudiation (the assurance that
an entity cannot deny previous actions or commitments). Digital signature schemes
are commonly used as primitives in cryptographic protocols that provide other ser-
vices including entity authentication (e.g., FIPS 196 [72], ISO/IEC 9798-3 [40], and
Blake-Wilson and Menezes [10]), authenticated key transport (e.g., Blake-Wilson
and Menezes [10], ANSI X9.63 [4], and ISO/IEC 11770-3 [41]), and authenticated
key agreement (e.g., ISO/IEC 11770-3 [41], Diffie, van Oorschot and Wiener [21],
and Bellare, Canetti and Krawczyk [8]).
C LASSIFICATION. The digital signature schemes in use today can be classified ac-
cording to the hard underlying mathematical problem which provides the basis for
their security:
1. Integer Factorization (IF) schemes, which base their security on the intractability
of the integer factorization problem. Examples of these include the RSA [85] and
Rabin [84] signature schemes.
2. Discrete Logarithm (DL) schemes, which base their security on the intractability
of the (ordinary) discrete logarithm problem in a finite field. Examples of these
include the ElGamal [23], Schnorr [90], DSA [70], and Nyberg-Rueppel [78, 79]
signature schemes.
3. Elliptic Curve (EC) schemes, which base their security on the intractability of the
elliptic curve discrete logarithm problem.
1. Select a 160-bit prime and a 1024-bit prime with the property that .
2. (Select a generator of the unique cyclic group of order in .)
"! $#&%('*)+-,
Select an element and compute . (Repeat until /0 . .)
3. Domain parameters are , and .
DSA K EY PAIR G ENERATION. Each entity in the domain with domain parameters
1
32452(-6 does the following:
U
1
DSA S IGNATURE V ERIFICATION To verify ’s signature HV2TOV6 on A , W obtains authen-
1
tic copies of ’s domain parameters 32452(-6 and public key = and does the following:
1. Verify that H and O are1 integers in the interval XY"249:Z .
2. Compute MN SHA-1 )+-A;
, 6 .
!
3. Compute [O )+-, . )+-,
Compute \ M][ \ ^H"[
4. )+-, and )+-, .
5. Compute EF>@_a`=@_Sb and c^E .
6. Accept the signature if and only if c^H .
S ECURITY A NALYSIS. Since H and O are each integers less than , DSA signatures
are 320 bits in size. The security of the DSA relies on two distinct but related discrete
logarithm problems. One is the discrete logarithm problem in where the number
field sieve algorithm (see Gordon [35] and Schirokauer [89]) applies; this algorithm
has a subexponential running time. More precisely, the expected running time of the
algorithm is
dfehgji-kle 1nm 1 1nrts $%(v 1nrtswrts 4%(vhxux 1
Ppo q66 u6 6 2 q6
mzy r&s*
where "{}|a~a , and denotes the natural logarithm function. If is a 1024-
bit prime, then the expression (1) represents an infeasible amount of computation;
thus the DSA using a 1024-bit prime is currently not vulnerable to this attack. The
second discrete logarithm problem works to the1 ) base in the subgroup of order in
+5,
: given , , , and = , find 7 such that =>@? 6 . For large (e.g., 1024-bits),
the best algorithm known for this problem is Pollard’s rho method [83], and takes
about
1
"~ ~
6
y
steps. If ~ , then the expression (2) represents an infeasible amount of compu-
tation; thus the DSA is not vulnerable to this attack. However, note that there are two
primary security parameters for DSA, the size of and the size of . Increasing one
without a corresponding increase in the other will not result in an effective increase
in security. Furthermore, an advance in algorithms for either one of the two discrete
logarithm problems could weaken DSA.
S ECURE G ENERATION OF PARAMETERS. In response to some criticisms received
on the first draft (see Rueppel et al. [86] and Smid and Branstad [99]), FIPS 186
specified a method for generating primes and “verifiably at random”. This fea-
ture prevents an entity (e.g., a central authority generating domain parameters to be
shared by a network of entities) from intentionally constructing “weak” primes and
for which the discrete logarithm problem is relatively easy. For further discussion
of this issue, see Gordon [34]. FIPS 186 also specifies two methods, based on DES
and SHA-1, for pseudorandomly generating private keys 7 and per-message secrets
B . FIPS 186 mandates the use of these algorithms, or any other FIPS-approved
security methods.
3 Finite Fields
We provide a brief introduction to finite fields. For further information, see Chapter 3
of Koblitz [52], or the books by McEliece [61] and Lidl and Niederreitter [59].
A finite field consists of a finite set of elements together with two binary operations
on , called addition and multiplication, that satisfy certain arithmetic properties. The
order of a finite field is the number of elements in the field. There exists a finite field of
order if and only if is a prime power. If is a prime power, then there is essentially
only one finite field of order ; this field is denoted by ' . There are, however, many
ways of representing the elements of ' . Some representations may lead to more
efficient implementations of the field arithmetic in hardware or in software.
If CR where is a prime and A is a positive integer, then is called the character-
istic of ' and A is called the extension degree of ' . Most standards which specify
the elliptic curve cryptographic techniques restrict the order of the underlying finite
field to be an odd prime (C ) or a power of 2 (C~ 6 . In
3.1, we describe the el-
ements and the operations of the finite field . In
3.2, elements and the operations
of the finite field are described, together with two methods for representing the
field elements: polynomial basis representations and normal basis representations.
Let be a prime
number. The finite field , called a prime field, is comprised of the
set of integers K-2]"2T~52h{h{h{2n:V with the following arithmetic operations:
3 If ¡2T¢DQ , then £PI¢¤H , where H is the remainder when £P^¢ is
divided by and K8H8/¥ . This is known as addition modulo .
§¦p¨©]«ªR©
¬¡® If ¡2T¢C , then ¯S¢°±O , where O is the remainder when ²¯V¢
The field , called a characteristic two finite field or a binary finite field, can be
viewed as a vector space of dimension A over the field which consists of the two ¼
elements K and . That is, there exist A elements ½ 2T½ 2h{h{h{2T½ ! in such that
each element ½Q can be uniquely written in the form:
½¾I ½ Pp ½ P^¯h¯h¯VP ! ½ ! 2 where @¿¹ K-2]V
{
Such a set ½ 2T½ 2h{h{h{2T½ ! is called a basis of over
1
. Given such a ba-
sis, a field element ½ can be represented as the bit string {h{h{T ! 6 . Addition
of field elements is performed by bitwise XOR-ing the vector representations. The
multiplication rule depends on the basis selected.
There are many different bases of over . Some bases lead to more efficient
software or hardware implementations of the arithmetic in than other bases.
ANSI X9.62 permits two kinds of bases: polynomial bases and normal bases.
of length A , so that
@1
! {h{h{T 6 Æ ¿ K-2]Va
{
The multiplicative identity element (1) is represented by the bit string of all 1’s, while
the additive identity element (0) is represented by the bit string of all 0’s.
`æç$èêé"ëÇìíìïîhðqæñòqó®ôõ]ö ÷jøùêúûç(üýwýwú(þVÿRèVúÍüìíìíü }þ
wçûùïèêúûù}ëYüTù ú(ìíú(çûèíþ
ÜèVú
aúûþ]èëTþVüÇýÌëTì ë
`
ýÓëÇìíìR ë
a ü Vìíú !YüTùè
"ë4ù è }çûéVì}ëT#
ù "ÇëÇìíéVúÜ ü ð Lë$ ýÓëTì}ìRë#
aüVìíú 5ëÇþ"ÿ%ÍüÇùèVú& ú
` b
"ë4ù è íç(éVì}ëT'ù "ëTì}éS&ú -ü( ëÇþ"#
`
ÿ
b
ð ®ë' ýÓëÇìíì]
Ù
ë '
aü Vìíú ö )*ü &ú "júûùðèSú æ3ñ¹òqóaô¶õ +,¡ç(üýwýïè èêú(úRë
Çùêú(úÿ
íþ9 æ
qù í-
ì ,(õõÇõwèêüÐ.ç VëÇ þ
Çúè ùêú(ç(üýwýwúûþ"ÿVë4è íü/ þ }þ<0 ë YüÇù è Sç(üý í þ
Ðùê&ú "1}üÇþ9ü ®æ3ñ¹ò]óôõ]ö ÷jøÜèêüÐè Sú¹üþVú
"júûþNë aü " ú íþºüTùÿSúûùèê0 ü aú¶çûü þ nèêú(þh!
è ïè °è Vú33ó 242526,7Ç÷ 78 ø 9 9 9wëTþ"/ ÿ +-3ó :¡;ò ,<*÷ 8øLùêú(ç(üÇýwýwú(þ"ÿSëTè íü
þ (ö
=
F IELD O PERATIONS. The following arithmetic operations are defined on the elements
of when using a GNB of type ã :
1 1
3 : Ifm : {h{h{Ç ! 6 and ¢ ¢ ¢ {h{h{Ç¢ ! 6 are elements of ,
1nm m m m 1 )
+5,
then °P¢* {h{h{ ! 6 , where ¿
ɿ-Pʢǿ6 ~ . That is, field addition
is performed bitwise.1
?>!@¨u3· «A : Let {h{h{T ! 6*D . Since squaring is a linear operation in
,
B
! ! !
C Ý âED C Ý âGF ` C Ý â 1
@¿ É¿ É¿ ! ! {h{h{T ! 6Ç2
¿tá ¿tá ¿tá
with indices reduced modulo A . Hence squaring a field element can be accom-
plished by a simple rotation of the vector representation.
§¦p¨©]«ªR©
¬¡® : Let D>ã°AP and let \/D be an element of order ã . Define
1 1 1
the sequence q6Ç24 ~
6Ç2h{h{h{¹24 :q6 by
1 ¿ )+5,
~ \IH 6¹IÄ for K8ÄL8:Aß: , K8KJ8pã>¥"{
1 1 m
If1nm m { {h{
h ! 6 and ¢w ¢ ¢ {h{h{¢ ! 6 are elements of , then Ó¯(¢Ó
m
{h{h{ ! 6 , where
a! L L
$# #
P à á %( IR T ¢ R "! if ã is even 2
Mm L G 1 G LS S L S
G L L
NO à á ! ¢ %( ! P
p (% ! ¢ ! 6
G G T "
S ! S GMS L L S GTS GTS
P à R
$# ¢ R " ! # if ã is odd 2
á
OQ G M
G S S G S
for each U , K8VU8Aß: , where indices are reduced modulo A .
³T ¶´ µ®·¸hn3 If is a non-zero element in , the inverse of in , denoted
! m m
, is the unique element D for which ²¯ 0 .
Example 3. (A Gaussian normal basis representation of the finite field Î ) For the
type ã±f GNB for Î , let \Åf|; v be an element of order . The sequence of
1
Äû6 ’s is:
1 1 1 1XW 1Y 1Z
q6LKº ~
6Ü0*
6IK> 6~ 6Ü0 6Ü0
1[ 1 1 1 1 1
6L ° »
6ÜN |
6IK< hKÉ6Ü~º aq6LN ]~
6Ü~ .
mML
The formulas for the product terms are:
m 1 1 1 1
: ¢ P¢ Pp¢ v 6uP ¢ P¢ 6Pp ¢ P:¢ 6uP v ¢ P¢ v 6
m 1 1 1 1
: ¢ P¢ v Pp¢ 6uP ¢ P¢ v 6Pp v ¢ P:¢ 6uP ¢ P¢ 6
m 1 1 1 1
: ¢ v P¢ Pp¢ 6uP v ¢ P¢ 6Pp ¢ P:¢ v 6uP ¢ P¢ 6
m 1 1 1 1
v : v ¢ P¢ Pp¢ u
6 P ¢ v P¢ 6Pp ¢ v P:¢ 6uP ¢ v P¢ 6Ç{
1 1 m 1
For example, if hKaKaKÉ6 and ¢Ó ahKÈq6 , then I £¯q¢w KaKÈhKÉ6 . \^]
S ELECTING A G AUSSIAN N ORMAL B ASIS. ANSI X9.62 specifies the following rules
for selecting a GNB for representing the elements of (when A is not divisible by
8).
1. If there exists a type 2 GNB of , then this basis must be used.
2. If there does not exist a type 2 GNB of , but there does exist a type 1 GNB,
then the type 1 GNB must be used.
3. If neither a type 1 nor a type 2 GNB of exists, then the GNB of smallest type
must be used.
The selection of type 2 GNBs over type 1 GNBs was somewhat arbitrary — both
types of GNBs admit efficient implementation of field arithmetic. This is not a practical
concern since finite fields which have both type 1 and type 2 GNBs are relatively
scarce — the only such fields with A between 160 and 600 are b$``_ and Ùa3b .
Neither of these two fields are among those recommended by NIST (see
10.2).
Example
v
4. (elliptic
W
curve over v ) Let ^ ~a and consider the elliptic curve e Æ
= ^7
W
P7²P defined
W v
over W v . W (In theW notation
[ Z
of equation (3), we have 0 and
1 )+5,
¢* .) Note that P1~ ¢ P a~² ~a~ ~a
6 , so e is indeed an elliptic
curve. The points in e v 6 are f and the following:
1 1 1 1 1XW [ 1XW Z 1[
K-2T~
6 K-2T~-q6 "2]aq6 "2]]~
6 2 6 2] 6 2T
6
1[ 1 1 Y 1 1 1 Y 1
2T~"KÉ6 »52T»
6 »52] 6 |52]aq6 |52]]~
6 hK-2 6 hK-2]]»
6
1 1 W 1 1 1 W Y 1 W 1 Y Z
a"2T|
6 a"2] 6 ]52]aq6 ]52]]~
6 2 6 2]]»
6 2 6
1 Y [ 1 [ 1 [ W 1 1 W 1 Y 1
2] 6 2T|
6 2] 6 ]»52T|
6 ]»52] 6 ~a~52 6 ~a~52]]|
6 . \^\
A DDITION F ORMULA. There is a1 rule, called the chord-and-tangent rule, for adding
two points on an elliptic curve e 6 to give1 a third elliptic curve point. Together with
this addition operation, the set of points e 6 forms a group with f serving as its
identity. It is this group that is used in the construction of elliptic curve cryptosystems.
1 1
The addition rule is best explained geometrically. Let g¤ 7 2= 6 and h 7 2= 6
be two1 distinct points on an elliptic curve e . Then the sum of g and h , denoted
i
7 v 2= v 6 , is defined as follows. First draw the line through g and h ; this line
i
intersects the elliptic curve in a third point. Then is the reflection of this point in
the 7 -axis. This is depicted in Figure 1. The elliptic curve in the figure consists of two
parts, the ellipse-like figure and the infinite curve.
t k
m b n3ohb
p
rsk m
&` noS`
jlk m
Ù noÙ
u vGwIxTyxz ú(üýwúûè ùíçÿqú& çûù SèíüþNüÈèVúëÿVÿ{ïè}üÇþ<üÈè| üwÿ{nè}þSçûèú(ìíì Sèíçç(éSù"jú aü íþhè& r~} t k6j ö
1 i 1
If gf 7 2= 6 , then the double of g , denoted 7 v 2= v 6 , is defined as follows. First
draw the tangent line to the elliptic curve at g . This line intersects the elliptic curve
i
in a second point. Then is the reflection of this point in the 7 -axis. This is depicted
in Figure 2.
The following algebraic formulae for the sum of two points and the double of a point
can now be derived from the geometric description.
1
g PVfÃfPg±g for all g§le 6 .
1. >
1 1 1 1 1
2. If g 732=®6Ve 6 , then 72=È6¹P 72]w=È6Jf . (The point 732]w=®6 is denoted
by g , and is called the negative of g ; observe that /g is indeed a point on the
curve.) \
rsk
m ` no `
jlk
m ÙnojÙ
1 1 1 1
3. (Point addition) Let g 2= 7 6e 6 and h 7 2= 6ze 6 , where
1
gß . h . Then g^PVh× 7 v 2 = v 6 , where
= ¾ = = Ê= 1
7 v ¾7 Ê7 and = v 7 ¾7 v 6¶¾= {
7 ¾7 7 Ê 7
1 1 1
4. (Point doubling) Let gß 7 2= 6Je 6 , where g Ñ
. g . Then (~ g 7 v 2= v 6 ,
where
V7 Pp V7 Pp 1
7 v z~V7 and = v 7 Ê7 v 6¾= {
~V= ~V=
1
Observe that the addition of two elliptic curve points in e 6 requires a few arith-
metic operations (addition, subtraction, multiplication, and inversion) in the underly-
ing field .
Example 5. (elliptic curve addition) Consider the elliptic curve defined in Example 4.
1XW [ 1 1
1. Let g± 2 6 and h± ]52]aq6 . Then g>Ph× 7 v 2= v 6 is computed as follows:
[
aÓ W W Y 1 )+5,
7 v W :]J ]²Ã°»C0 ~a
6Ç2 and
]9
1XW Y [ W Z 1 )+5,
= v : 6 0 KJ ~a
6Ç{
1 Y Z
Hence g^PVh× 2 6 . \
1XW [ 1
2. Let g± 2 6 . Then (~ gfg^Pg± 7 v 2= v 6 is computed as follows:
1XW
6uP Y [ 1 )+-,
7 v W z»JÃ z»J~- fhK ~a
6Ç2 and
YÈ1XW [ [ 1 )+5,
= v 0 :hKÉ6 0°| 0]» ~a
6Ç{
1
Hence (~ g0 hK-2]]»
6 .
1 1
where 2T¢ Q
¡ , and ¢§ . K . The set e 6 consists of all points 72=È6 , 7¥ ,
=0Â , which
satisfy the defining equation (4), together with a special point f
called the point at infinity.
Example 6.1 (elliptic curve over Î ) Consider Î as represented by the irreducible
trinomial À 7 6² 7¡ÏºP>7DP0 (see Example 2 of
3). Consider the elliptic curve e Æ
v
= P:7¡=Ã7 P>½ Ï 7 P± over Î . (In the notation of equation (4), we have §½ Ï
1
and ¢w0 .) Note that ¢£I . K , so e is indeed an elliptic curve. The points in e Î 6 are
f and the following:
1 1 1 v 1 v 1 v v 1 v
K-2]q6 "2T½ 6 "2T½ 6 ½ 2T½ÕS6 ½ 2T½ 6 ½3Ò"2T½ 6
1 1 1 1 1 v 1
½ Ò 2T½ 6 ½ 2T½ 6 ½ 2T½ Ï 6 ½Ö"2T½ 6 ½3Ö"2T½ 6 ½ 2T½¶6
1 1 Õ 1
½ 2T½ÕS6 ½ 24KÉ6 ½ 2T½ 6 .
U
1 1 1 1
3. (Point addition) Let g 7 2= 6e 6 and h 7 2= 6e 6 , where
1
gß . h . Then g^PVh× 7 v 2= v 6 , where
= PQ= = Pp=
7 v P PQ7 Pp7 Pp and
7 PQ7 7 Pp7
= PQ= 1
= v 7 PQ7 v 6PQ7 v PQ= {
7 P 7
Q
1 1 1
4. (Point doubling) Let gà 7 2= 6Óe 6 , where gØ . g . Then (
~ gà 7 v 2= v 6 ,
where
¢ =
7 v I7 P and = v ^7 P 7 P v v
7 PQ7 {
7 7
Example 7. (elliptic curve addition) Consider the elliptic curve defined in Example 6.
1 1 v v 1
1. Let g ½ 2T½Õq6 and h ½ 2T½ 6 . Then gPh 7 v 2= v 6 is computed as
follows:
v v
½ Õ : P ½ ½ Õ pP ½ v
7 v v
P v P½ P½ P½ Ï
½ Pp½ ½ P½
v v
½ ½ v
P P:½ P½ P½ Ï 0
½ ½
and
v v
½3ÕLP:½ 1 ½ 1 v v
= v v
½ PIq63PIÜP½ Õ
½ 6P½ ½ {
½ P½ ½
1 v
Hence g^PV h× "2T½ 6 .
1 1
2. Let g± ½ 2T½ Õ 6 . Then ~(g±g^Pg± 7 v 2= v 6 is computed as follows:
1 v
7 v ½ 6 P 1 ½ P:½ ½ and
½ 6
1 ½ Õ v
= v ½ 6 P ½ P
½ P:½ ½ P½ P½ ½ Õ {
½
1
Hence (~ g0 ½ 2T½ Õ 6 . \É
4.3 Basic Facts
G ROUP O RDER. Let e be an elliptic curve over a finite field ' . Hasse’s theorem
states that the number of points on an elliptic curve (including the point at infinity) is
1
' 1
'
e 6IÓP w where ]-8¥~ ; e 6 is called the order of e and is called
1
the trace of e . In other words, the order of an elliptic curve e ' 6 is roughly equal to
the size of the underlying field.
1 1
G ROUP S TRUCTURE. e ' 6 is an abelian group of rank 1 or 2. That is, e ' 6 is
isomorphic to , where divides , for unique positive integers and .
` b
Here, 1 denotes the cyclic group of order . Moreover, divides C> . If ,
1
'
then e 6 is said to1 be cyclic. In this '
case e 6 is isomorphic to , and there
1 `
' '
exists a point g e 1 6 such that e 6Ü B'g Æ K8IB;8 >V ; such a point is
called a generator of e ' 6 .
1
Example 8. (cyclic elliptic curve) Consider the1 elliptic curve e v 6 defined in Exam-
1
ple 4. Since e v 6¹ 1 ~a| , which is prime, e 1 v 6 is cyclic and any point other than
5.1 describes the requirements for what constitutes “suitable” domain parameters.
In
5.2, a procedure is specified for generating elliptic curves verifiably at random.
5.3 outlines a method for generating domain parameters, while
5.4 presents a
procedure for verifying that a given set of domain parameters meets all requirements.
4. Let µ be the integer whose binary expansion is given by the -bit string §(¨I¨^©ª .
5. For Ä from to O do:
1
4.1. Let)O]+5¿ , be the -bit string which is the binary expansion of the integer µP
Äû6 ~¶ .
1
4.2. Compute ´Å¿ SHA-1 Oq¿ê6 .
6. Let ´ be the bit string obtained by concatenating ´ 2´ 2h{h{h{32´· as follows:
´ ´ ¸ ´ ¸ ¯h¯h¯ ¸ ´ · . \aÛ
7. Let H be the W integer[ whose binary expansion is given by ´ .
1 )+-,
8. If HJIK or if H°P~ IK 6 then go to step 1. v*)+-,
9. Choose arbitrary integers ¡2T¢/ , not both K , such that HC¯"¢ Ã . (For
example, one may take ^H and ¢Ó^H .) v
10. The elliptic curve chosen over is e Æ = ^7 PQ É7P¢ .
11. Output( §(¨I¨^©ª , , ¢ ).
I SOMORPHISM C LASSES OF E LLIPTIC C URVES OVER . Two elliptic curves e Æ
v v
= ^7 P 7P¢ and e Æ =
^7 P 7P¢ defined over are isomorphic over if
and only if there exists \/ , \pI . K , such that >\¡Ï] and ¢ ^\ ¢ . (Isomorphic
elliptic curves 1 are essentially1
the same. In particular, if e is isomorphic to e , then
the groups e 6 and e 6 are isomorphic as abelian groups.) Observe that if e
Ù
Ù
and e are isomorphic and ¢ Ñ
. K (so ¢ Ñ
. K ), then ¹ º
»¹ º b . The singular elliptic
`
b b
v ` W vb [ 1 )+-,
curves, i.e., the curves e Æ = 7 P× É7;P±¢ for which × P ~ ¢
K 6 ,
º Ù
are precisely those which either have I K and ¢Å K , or ¹ b Ô . If H>f ,
Ï Æ =
H/Ã . K , H¾. Ô , then there are precisely 2 isomorphism classes of curves e
v Ï 1 )+5,
Ùº
7 P× É7P±¢ with ¹ H 6 . Hence, there are essentially only 2 choices for
1 b
R2T¢h6 in step 9 of Algorithm 1. The conditions HÅf . K and HÅ. Ô imposed in step 8
Ï
ensure the exclusion of singular elliptic curves. Finally, we mention that this method
of generating curves will never produce the elliptic curves with ¥ K , ¢:. K , nor
the elliptic curves with Ã. K , ¢ K . This is not a concern because such curves
constitute a negligible fraction of all elliptic curves, and therefore are unlikely to ever
be generated by any method which selects an elliptic curve uniformly at random.
T HE T WIST
v
OF AN E LLIPTIC
C URVE
v
OVER m v . The non-isomorphic
m m
elliptic curves e Æ
= ^7 PJ É73P²¢ and e Æ = I7 PJ 7 P²¢ , where l is a quadratic non-residue
modulo , are said to be twists of each other. Note that both these curves have the
1 1
same H value. Their orders are related by the equation e 65P e 6 ~Ç°PÅ~ .
1 1
Thus, if one is able to compute e 6 , then one can easily deduce e 6 .
3. Let µ be the integer whose binary expansion is given by the -bit string §(¨I¨^©ª .
4. For Ä from to O do: \
=
1
4.1. Let)O]+5¿ , be the -bit string which is the binary expansion of the integer µP
Äû6 ~¶ .
1
4.2. Compute ´ ¿ SHA-1 O ¿ 6 .
5. Let ´ be the bit string obtained by concatenating ´ 2´ 2h{h{h{32´· as follows:
´½¼È´ ¸ ´ ¸ ¯h¯h¯ ¸ ´· .
6. Let H(¼ be
thev integer whose binary expansion is given by ´½¼ .
1 )+-,
7. If H ¼ ¯q¢ I 6 then accept; otherwise reject.
T HE T WIST OF ANv E LLIPTIC
C URVE OVER . The non-isomorphic
v
elliptic curves 1
e Æ = PI7R=:Ø7 P 7 P ¢ and e Æ = P7R=: 7 P 7 P ¢ where ¾¿ 6Å.
1
¾¿ 6 are said to be twists of each other. Their orders are related by the equation
1
6ÓP e 6¾
1 1
e ~ 0S PÃ~ . Thus, if one is able to compute e 6 ,
1
then one can easily deduce e 1 6 . The order of an
1 )+-, W
elliptic curve over is
1 1
always
1 )+5, W
even.1 Furthermore, e 6ÜIK 6 if ¾¿ 6LK , and e 6 ~
6 if ¾¿ 6à .
when is odd; the algorithm was later extended to the case of / ~ by Koblitz \
[50]. Schoof’s algorithm
is rather inefficient in practice for the values of of practical
interest (i.e. Åc¥~ ). In the last few years a lot of work has been done on improving
and refining Schoof’s algorithm, now called the Schoof-Elkies-Atkin (SEA) algorithm;
for example, see Lercier and Morain [58] and Lercier [56]. With these improvements,
cryptographically suitable elliptic curves over fields whose orders are as large as ~
can be randomly generated in a few hours on a workstation (see Lercier [57] and Izu
et al. [44]). More recently, Satoh [87, 26] presented a new algorithm for point counting
over binary fields that is superior to the SEA algorithm. y
With Satoh’s algorithm, the
number of points on an elliptic curve over for A ~"KaK can be determined in only
a few seconds on a fast PC.
T HE C OMPLEX M ULTIPLICATION (CM) M ETHOD. Another method for generating cryp-
tographically suitable elliptic curves is the CM method. Over the CM method is
also called the Atkin-Morain method [68]; over it is also called the Lay-Zimmer
method [55]. A detailed description of the CM method can be found in IEEE 1363-
2000 [39].
W 1
Let e be an elliptic curve over ' of order Ä . Let ÆI ¹ 3PÊ%ľ6 and write Æ>
Ç²È Ç
where is a squarefree integer. Then e is said to have complex multiplication
Ç Ç
by . If one knows for a given curve, then one can efficiently compute the order
of the curve.
Ç
The CM method first finds a for which there exists an elliptic curve e over '
Ç
with
complex multiplication by and having nearly
prime order Ä (where
is prime), and furthermore where . and does not divide "G× for each
²8IB8I~"K . It then constructs the coefficients of e . The CM method is only efficient
Ç
for small , in which case it is much faster than Schoof’s algorithm. Thus, a potential
drawback of the CM method is that it can only be used to generate elliptic curves
Ç
having complex multiplication by small .
KOBLITZ C URVES. These curves, also known as anomalous binary curves, were first
proposed for cryptographic use by Koblitz [51]. They are elliptic curves over
whose defining
equations
v
have coefficients
inv . Thus,
there are two Koblitz curves
over
: = P7¡=;Ã7 P± and = P:7R=;Â7 P:7 P× . Solinas [100, 102], building
on earlier work of Meier and Staffelbach [62], showed how one can compute B'g
very efficiently for arbitrary B where g is a point on a Koblitz curve. Since performing
such scalar multiplications is the dominant computational step in ECDSA signature
generation and verification (see
7), Koblitz curves are very attractive for use in the
ECDSA.
tice include: (i) prevention of malicious insertion of invalid domain parameters which
may enable some attacks; and (ii) detection of inadvertent coding or transmission
errors. Use of an invalid set of domain parameters can void all expected security
properties.
An example of a concrete (albeit far-fetched) attack that can be launched if domain
parameter validation for a signature scheme is not performed was demonstrated by
Blake-Wilson and Menezes [11]. The attack is on a key agreement protocol which
employs the ElGamal signature scheme.
Ç
M ETHODS FOR VALIDATING D OMAIN PARAMETERS . The assurance that a set
1
@2*¥¦²24 R2T¢S2¡£2 , 6 of EC domain parameters is valid can be provided to an entity
using one of the following methods:
@
1
11. Compute ¼R¯ ÓPIq6 ° and verify that -¼ .
12. Verify that does not divide G : for each B , C8¥BD8¥~"K .
13. Verify that . .
Ç Ç
14. If any verification fails, then is invalid ; otherwise is valid.
qU
6.2 Public Key Validation
Public key validation, as first enunciated by Johnson [46], ensures that a public key
has the requisite arithmetical properties. Successful execution of this routine demon-
strates that an associated private key logically exists, although it does not demon-
strate that someone actually has computed the private key nor that the claimed
owner actually possesses the private key. Reasons for performing public key vali-
dation in practice include: (i) prevention of malicious insertion of an invalid public key
which may enable some attacks; and (ii) detection of inadvertent coding or transmis-
sion errors. Use of an invalid public key can void all expected security properties.
An example of a concrete attack that can be launched if public key validation is not
performed was demonstrated by Lim and Lee [60]. The attack is on a Diffie-Hellman-
based key agreement protocol.
M ETHODS FOR VALIDATING P UBLIC K EYS. The assurance that a public key h is valid
can be provided to an entity using one of the following methods:
of the CA’s choice, or by using zero-knowledge techniques (see Chaum, Evertse and
van de Graaf [19]). Note that proof of possession of a private key provides different
assurances from public key validation. The former demonstrates possession of a
private key even though it may correspond to an invalid public key, while the latter
demonstrates validity of a public key but not ownership of the corresponding private
key. Doing both provides a high level of assurance.
1
Thus \ ¡¥PQ\ h± \ PQ\ 5
É 6¡fB-¡ , and so cIH as required.
C ONVERSION B ETWEEN DATA T YPES. ANSI X9.62 specifies a method for converting
field elements to integers. This is used to convert the field element 7 to an integer
in step 2 of signature generation and step 6 of signature verification prior to com-
)+5,
puting 7 . ANSI X9.62 also specifies a method for converting bit strings to
integers. This is used to convert the output M of SHA-1 to an integer prior to its use
in the modular computation in step 5 of signature generation and step 2 of signature
verification.
C OMPARING DSA AND ECDSA. Conceptually, the ECDSA is simply obtained from
the DSA by replacing the subgroup of order of generated by with the subgroup
of points on an elliptic curve that are generated by ¡ . The only significant difference
between ECDSA and DSA)is +-,
in the generation of H . The DSA does this by taking the
random element E f G and reducing it modulo , thus obtaining an integer
in the interval XY"24£Z . The ECDSA generates H in the interval XY"2 Z by taking
the 7 -coordinate of the random point B-¡ and reducing it modulo . Ë
8 Security Considerations
The security objective of ECDSA is to be existentially unforgeable against a chosen-
message attack. The goal of an adversary who launches such an attack against
a legitimate entity is to obtain a valid signature on a single message A , after
having obtained ’s signature on a collection of messages (not including A ) of the
adversary’s choice.
Some progress has been made on proving the security of ECDSA, albeit in strong
theoretical models. Slight variants of DSA and ECDSA (but not ECDSA itself) have
been proven to be existentially unforgeable against chosen-message attack by Point-
cheval and Stern [82] (see also [14]) under the assumptions that the discrete loga-
rithm problem is hard and that the hash function employed is a random function.
ECDSA itself has been proven secure by Brown [15] under the assumption that the
underlying group is a generic group and that the hash function employed is collision
resistant.
The possible attacks on ECDSA can be classified as follows:
This section summarizes the current knowledge of these attacks and how they can
be avoided in practice.
Known Attacks
This subsection overviews the algorithms known for solving the ECDLP and dis-
cusses how they can be avoided in practice.
2. P OHLIG -H ELLMAN A LGORITHM
. This algorithm, due to Pohlig and Hellman [81],
exploits the factorization of , the order of the point g . The algorithm reduces the
problem of recovering U to the problem of recovering U modulo each of the prime
factors of ; the desired number U can then be recovered by using the Chinese
Remainder Theorem.
The implications of this algorithm are the following. To construct the most difficult
instance of the ECDLP,
one must select an elliptic curve whose order is divisible
by a large prime . Preferably, this order should be a prime or almost a prime
(i.e. a large prime times a small
integer ). For the remainder of this section,
we shall assume that the order of g is prime.
3. B ABY-S TEP G IANT-S TEP A LGORITHM. This algorithm is a time-memory
trade-off
of the method of exhaustive search. It requires storage for about points, and
its running time is roughly steps in the worst case.
4. P OLLARD ’ S R HO A LGORITHM
. This algorithm, due to Pollard [83], is a random-
ized version of the baby-step
giant-step algorithm. It has roughly the same ex-
pected running time ( "~ steps) as the baby-step giant-step algorithm, but is
superior in that it requires a negligible amount of storage.
Gallant, Lambert and Vanstone [31], and Wiener and Zuccherato [111] showed
how Pollard’s rho algorithm can be sped up by a factor of 1 ~ . Thus the expected
running time of Pollard’s rho method with this speedup is 6"~ steps.
5. PARALLELIZED P OLLARD ’ S R HO A LGORITHM. Van Oorschot and Wiener [80]
showed how Pollard’s rho algorithm can be parallelized so that when the algo-
rithm is run in parallel on H processors, the expected running time of the algo-
1 1
rithm is roughly 6 ~VH
6 steps. That is, using H processors results in an H -fold
speed-up.
6. P OLLARD ’ S LAMBDA METHOD. This is another randomized algorithm due to Pol-
lard [83]. Like Pollard’s rho method, the lambda method can also be parallelized
with a linear speedup. The parallelized lambda-method is slightly slower than the
parallelized rho-method [80]. The lambda-method is, however, faster in situations
when the logarithm
being sought is known to lie in a subinterval X K-2T¢TZ of X K-2 ÊZ ,
where ¢ Ú K-{}a| [80].
7. M ULTIPLE L OGARITHMS. R. Silverman and Stapleton [97] observed that if a sin-
gle instance of the ECDLP (for a given elliptic curve e and base point g ) is
solved using (parallelized) Pollard’s rho method, then the work done in solving
this instance can be used to speed up the solution of other instances of the
ECDLP (for the same curve e and base point g ). More precisely, if the first
instance
1
takes
y W
expected time , then the second instance takes expected time
~ q6. K-{ M . Having solved these two instances, the third instance takes
1 y
expected time D ~
6. K-{}a~ . Having solved these three instances, the
1 W y [
fourth instance takes expected time
6. K-{}~ . And so on. Thus subse-
quent instances of the ECDLP for a particular elliptic curve become progressively
I=
easier. Another way of looking at this is that solving B instances of the ECDLP
(for the same curve e and base point g ) takes only B as much work as it does
to solve one instance of the ECDLP. This analysis does not take into account
storage requirements.
Concerns that successive logarithms become easier can be addressed by ensur-
ing that the elliptic parameters are chosen so that the first instance is infeasible
to solve.
8. S UPERSINGULAR E LLIPTIC C URVES. Menezes, Okamoto and Vanstone [64, 63]
and Frey and Rück [29] showed how, under mild assumptions, the ECDLP in an
elliptic curve e defined over a finite field ' can be reduced to the ordinary DLP
in the multiplicative group of some extension field 'Í for some Bs±× , where the
number field sieve algorithm applies. The reduction algorithm is only practical if
B is small — this is not the case for most elliptic curves, as shown by Balasubra-
manian and Koblitz [6]. To ensure that the reduction
algorithm does not apply to
a particular curve, one only needs to check that , the order of the point g , does
not divide G z for all small B for which the DLP in '&Í is tractable — in practice,
when c¥~ then C8¥BD8>~"K suffices [3].
An elliptic curve e over ' is said to be supersingular if the trace of e is divisi-
ble by the characteristic of ' . For this very special class of elliptic curves, it is
Z
known that B8 . It follows that the reduction algorithm yields a subexponential-
time algorithm for the ECDLP in supersingular curves. For this reason, supersin-
gular curves are explicitly excluded from use in the ECDSA by the above divisi-
bility check.
More generally, the divisibility check rules out all elliptic curves for which the
ECDLP can be efficiently reduced to the DLP in some small extension of ' .
These include the supersingular elliptic curves and elliptic curves of trace 2 (el-
1
liptic curves e over ' for which e ' 6¹I<: ).
9. P RIME -F IELD A NOMALOUS C1 URVES. An elliptic curve e over is said to be
prime-field-anomalous if e 6< . Semaev [93], Smart [98], and Satoh and
Araki [88] showed how to efficiently solve the ECDLP for these curves. The attack
does not extend to any other classes of elliptic curves. Consequently, by verifying
that the number of points on an elliptic curve is not equal to the cardinality of
the underlying field, one can easily ensure that the Semaev-Smart-Satoh-Araki
attack does not apply.
10. C URVES D EFINED OVER A S MALL F IELD. Suppose that e is an elliptic curve
defined over the finite field Î . Gallant, Lambert and Vanstone [31], and Wiener
and Zuccherato [111] showed 1
how Pollard’s rho algorithm for computing
elliptic
curve logarithms in e X
Î Ï 6 can be further sped up by a factor of É — thus
1
the expected running time of Pollard’s rho method for these curves is É-6"~
steps. For example, if e is a Koblitz curve (see 1
5.3), then Pollard’s rho algorithm
for computing elliptic curve logarithms in e 6 can be sped up by a factor of ]
A . This speedup should be considered when doing a security analysis of elliptic
curves whose coefficients lie in a small subfield.
11. C URVES D EFINED OVER , A C OMPOSITE. Galbraith and Smart [30], expand-
ing on earlier work of Frey [27, 28], discuss how the Weil descent might be used
to solve the ECDLP for elliptic curves defined over where A is compos-
ite (such fields are sometimes called composite fields). More recently, Gaudry,
Hess and Smart [32] refined these W
ideas to provide some evidence that when A
has a small divisor U , e.g. U* , the ECDLP for elliptic curves defined over
can be solved faster than with Pollard’s rho algorithm. See also Menezes and Qu
[66] for an analysis of the Weil descent attack. In light of these results, it seems
prudent to not use elliptic curves over composite fields.
It should be noted that some ECC standards, including the draft ANSI X9.63 [4],
explicitly exclude the use of elliptic curves over composite fields. The ANSI X9F1
committee agreed in Jan 1999 to exclude the use of such curves in a forthcoming
revision of ANSI X9.62.
12. N ON -A PPLICABILITY OF I NDEX -C ALCULUS M ETHODS. Whether or not there ex-
ists a general subexponential-time algorithm for the ECDLP is an important un-
settled question, and one of great relevance to the security of ECDSA. It is ex-
tremely unlikely that anyone will ever be able to prove that no subexponential-
time algorithm exists for the ECDLP. However, much work has been done on the
DLP over the past 24 years, and more specifically on the ECDLP over the past 16
years, and no subexponential-time algorithm has been discovered for the ECDLP.
Miller [67] and J. Silverman and Suzuki [96] have given convincing arguments for
why the most natural way in which the index-calculus algorithms can be applied
to the ECDLP is most likely to fail.
13. X EDNI -C ALCULUS ATTACKS. A very interesting line of attack on the ECDLP, called
the xedni-calculus attack was recently proposed by J. Silverman [95]. One in-
triguing aspect of the xedni-calculus is that it can be adapted to solve both the
ordinary discrete logarithm and the integer factorization problems. However, it
was subsequently shown by a team of researchers including J. Silverman (see
Jacobson et al. [45]) that the attack is virtually certain to fail in practice.
14. H YPERELLIPTIC C URVES. Hyperelliptic curves are a family of algebraic curves
of arbitrary genus that includes elliptic curves. Hence, an elliptic curve can be
viewed as a hyperelliptic curve of genus 1. Adleman, DeMarrais and Huang [1]
(see also Stein, Müller and Thiel [106]) presented a subexponential-time algo-
rithm for the discrete logarithm problem in the jacobian of a large genus hyperel-
liptic curve over a finite field. However, in the case of elliptic curves, the algorithm
is worse than naive exhaustive search.
15. E QUIVALENCE TO OTHER D ISCRETE L OGARITHM P ROBLEMS. Stein [105] and
Zuccherato [113] showed that the discrete logarithm problem in real quadratic
congruence function fields of genus 1 is equivalent to the ECDLP. Since no \
subexponential-time algorithm is known for the former problem, this may provide
further evidence for the hardness of the ECDLP.
Experimental Results
The best general-purpose algorithm known for the ECDLP is the parallelized
1 1
version
of Pollard’s rho algorithm which has an expected running time of 6 ~VH
6 steps,
where is the (prime) order of the base point g , and H is the number of processors
utilized.
C ERTICOM ’ S ECC C HALLENGE. Certicom initiated an ECC challenge [18] in Novem-
ber 1997 in order to encourage and stimulate research on the ECDLP. Their chal-
lenges consist of instances of the ECDLP on a selection of elliptic curves. The chal-
lenge curves are divided into three categories listed below. In the following, ECCp- B
denotes a random curve over a field , ECC2- B denotes a random curve over a field
, and ECC2K- B denotes a Koblitz curve (see
5.3) over ; B is the bitlength of
. In all cases, the bitsize of the order of the underlying finite field is equal or slightly
greater than B (so curves have either prime order or almost prime order).
1. Randomly generated curves over , where is prime: ECCp-79, ECCp-89,
ECCp-97, ECCp-109, ECCp-131, ECCp-163, ECCp-191, ECCp-239, and ECCp-
359.
2. Randomly generated curves over , where A is prime: ECC2-79, ECC2-89,
ECC2-97, ECC2-109, ECC2-131, ECC2-163, ECC2-191, ECC2-238, and ECC2-
353.
3. Koblitz curves over , where A is prime: ECC2K-95, ECC2-108, ECC2-130,
ECC2-163, ECC2-238, and ECC2-358.
R ESULTS OF THE C HALLENGE. Escott et al. [25] report on their 1998 implementation
of the parallelized Pollard’s rho algorithm which incorporates some improvements
of Teske [107]. The hardest instance of the ECDLP they solved was the Certicom
ECCp-97 challenge. For this task they utilized over 1200 machines from at least
16 countries, and found the answer in 53 days. The total number of steps exe-
cuted wasy about ~ hK Ï elliptic curve additions which is close to the expected time
Y Qy
(( 6"~ 5{ hK Ï , where ~ Ö Ô ). Escott et al. [25] conclude that the running
time of Pollard’s rho algorithm in practice fits well with the theoretical predictions.
They estimate that the ECCp-109 challenge could be solved by a network of 50,000
Pentium Pro 200MHz machines in about 3 months.
Hardware Attacks
Van Oorschot and Wiener [80] examined the feasibility of implementing parallelized
py
Pollard’s rho algorithm using special-purpose hardware. They estimated that if
a
v y
hK ~
, then a machine with H/Øa"K-24KaKaK processors could be built for about
US $10 million that could compute a single elliptic curve discrete
logarithm in about
32 days. Since ANSI X9.62 mandates that the parameter should satisfy c~ ,
such hardware attacks appear to be infeasible with today’s technology.
É
VARIABLE O UTPUT L ENGTH H ASH F UNCTIONS L
. It is L expected that SHA-1 will soon
be replaced by a family of hash functions ³ , where ³ is an U -bit hash functionL having
ideal security.
r+
If one uses ECDSA with parameter , then one would use ³ , where
U ¯ ä ° , as the hash function. In this case, attacking ECDSA by solving the
L
ECDLP and attacking ECDSA by finding collisions for ³ , both take approximately
the same amount of time. The new family will have output lengths of 256, 384 and
512 bits [76].
]U
D UPLICATE -S IGNATURE K EY S ELECTION. A signature scheme Ó is said to have the
duplicate-signature key selection (DSKS) property if given ’s public key gÔ and
given ’s1 signature OÔ on a message Õ , an adversary e is able to select a valid
key pair gÖÓ2Ó!ÖL6 for Ó such that OÔ is also e ’s signature on Õ . Note that this defi-
nition requires that Ó!Ö is known to e . Blake-Wilson and Menezes [11] showed how
this property can be exploited to attack a key agreement protocol which employs
signatures scheme. They also demonstrated that if entities are permitted to select
their own domain parameters, then ECDSA possesses the DSKS property. To see
Ç 1
this, suppose that ’s domain parameters are Ô¾ 52*¥¦J24 ¡2T¢S2¡£2 2T¡6 , ’s key pair
1 1
is h×ÔÜ2*É^m Ô6 , andm HS2TO" 6 is ’s signature on Õ 11 . The adversary e selects an arbitrary
m )+-,
Æ ! !
integer , 8 8 f , such that O MJP±O H 6 6Q. K , computes
! ! 1 1 ! )+-,
E 0O M¡>P>O H^h (where MJ SHA-1 Õf66 and ¡Ã 6$E . e then forms
Ç 1 m Ç
Ö± 52*¥¦J24 ¡2T¢S2 ¡2 2T6 and hÖ± ¡ . Then it is easily verified that Ö and hÖ
1
are valid, and that HS2TO"6 is also e ’s signature on Õ .
If one mandates that the generating point ¡ be selected verifiably at random during
domain parameter generation (using a method akin to those in
5.2 for generating el-
liptic curves verifiably at random), then it appears that ECDSA no longer possesses
the DSKS property. It must be emphasized that possession of the DSKS property
does not constitute a weakness of the signature scheme — the goal of a signa-
ture scheme is to be existentially unforgeable against an adaptive chosen-message
attack. Rather, it demonstrates the importance of auditing domain parameter and
public key generation.
I MPLEMENTATION ATTACKS. ANSI X9.62 does not address attacks that could be
launched against implementations of ECDSA such as timing attacks (Kocher [53]),
differential fault analysis (Boneh, DeMillo and Lipton [13]), differential power analysis
(Kocher, Jaffe and Jun [54]), and attacks which exploit weak random or pseudoran-
dom number generators (Kelsey et al. [48]).
9 Implementation Considerations
Before implementing ECDSA, several basic choices have to be made including:
There are many factors that can influence the choices made. All of these must be
considered simultaneously in order to arrive at the best solution for a particular ap-
plication. The factors include:
Security considerations.
Suitability of methods available for optimizing finite field arithmetic (addition, mul-
tiplication, squaring, and inversion).
Suitability of methods available for optimizing elliptic curve arithmetic (point addi-
tion, point doubling, and scalar multiplication).
Application platform (software, hardware, or firmware).
Constraints of a particular computing environment (e.g., processor speed, stor-
age, code size, gate count, power consumption).
Constraints of a particular communications environment (e.g., bandwidth, re-
sponse time).
10 Interoperability Considerations
The goals of cryptographic standards are twofold:
10.1 ECDSA Standards
Among the standards and draft standards which specify ECDSA, the ones which
have been officially approved by their respective accredited organizations are ANSI
X9.62 [3], FIPS 186-2 [74], IEEE 1363-2000 [39], and ISO 14888-3 [42]. ECDSA has
also been standardized by the Standards for Efficient Cryptography Group (SECG)
[103], which is a consortium of companies formed to address potential interoperabil-
ity problems with cryptographic standards.
The salient features of these standards are described first, and then the standards
are compared with regards to their compatibility with each other. This is followed by
a brief overview of some other standards that specify or use ECDSA.
C ORE ECDSA S TANDARDS.
1. ANSI X9.62: This project began in 1995 and was adopted as an official ANSI
standard in January 1999. The primary objectives of ANSI X9.62 were to achieve
a high level of security and interoperability. The underlying field is restricted to be-
ing a prime finite field or a binary finite field . The elements of may
be represented using a polynomial or a normal basis over . If a polynomial
basis is desired, ANSI X9.62 mandates that the reduction polynomial be an irre-
ducible trinomial, provided one exists, and an irreducible pentanomial otherwise.
To facilitate interoperability, a specific reduction polynomial is recommended for
each field . If a normal basis is desired, ANSI X9.62 mandates that a specific
Gaussian normal basis be used. The
primary security requirement imposed on
elliptic curves
in ANSI X9.62 is that , the order of the base point ¡ , be greater
than ~ . Elliptic curves may be either be selected arbitrarily (subject to the se-
curity constraints mentioned in
5.1) or verifiably at random (using the procedure
described in
5.3). ANSI X9.62 defines a mandatory octet string representation
for elliptic points in either compressed, uncompressed, or hybrid form. Optional
ASN.1 (Abstract Syntax Notation One) syntax is provided for unambiguously de-
scribing domain parameters, public keys, and signatures.
2. FIPS 186-2: In May 1997, NIST announced plans to revise FIPS 186 by includ-
ing RSA and elliptic curve signature algorithms. In December 1998, FIPS 186
was revised to include both the DSA and RSA signature schemes (as specified
in ANSI X9.31 [2]); the revised standard was called FIPS 186-1 [73]. Shortly after
that, in June 1999, NIST presented a list of 15 elliptic curves that were recom-
mended for U.S. Federal Government use. These curves are compliant with the
ANSI X9.62 formats (and therefore also with IEEE 1363-2000 formats) and are
discussed further in
10.2. In February 2000, FIPS 186-1 was revised to include
ECDSA as specified in ANSI X9.62 with the aforementioned recommended ellip-
tic curves; the revised standard is called FIPS 186-2. Ë
3. IEEE 1363-2000: This project was formally approved as an IEEE standard in
August 2000. IEEE 1363’s scope is very broad and includes public-key cryp-
tographic techniques for encryption, key agreement, and signatures based on
the intractability of integer factorization, discrete logarithms in finite fields, and
elliptic curve discrete logarithms. It differs fundamentally from ANSI X9.62 and
FIPS 186-2 in that it does not mandate minimum security requirements (e.g.,
lower bounds on the order of the base point ¡ ) and has an abundance of op-
tions. Consequently, 1363-2000 should neither be viewed as a security standard
nor as an interoperability standard, but rather as a reference for specifications of
a variety of techniques from which applications may select. With regards to the
elliptic curve schemes and, in particular, ECDSA, the underlying field is restricted
to being a prime finite field or a binary finite field . The elements of
may be represented with respect to any polynomial or normal basis over . The
representation of elements as integers and elements as bit strings are
consistent with ANSI X9.62 and FIPS 186-2 conventions.
4. ISO/IEC 14888-3 [42]: This standard contains high-level descriptions of some
signature algorithms including ECDSA, whose description is consistent with that
of ANSI X9.62.
5. SEC 1 [103] AND SEC 2 [104]: SEC 1 describes the ECDSA, and also ellip-
tic curve public-key encryption and key agreement protocols. A specific list of
recommended elliptic curve domain parameters are provided in SEC 2. SEC 1
ECDSA is compliant with ANSI X9.62, except that the former permits some fields
of bitlength less than 160.
1. ISO/IEC 15946 [43]: This draft standard specifies various cryptographic tech-
niques based on elliptic curves including signature schemes, public-key encryp-
tion schemes, and key establishment protocols. ISO/IEC 15946 allows any finite
field, unlike ANSI X9.62, IEEE 1363-2000, and FIPS 186-2 where the underlying Û
ónò Ød,&Ù < <<8|7
óX25242s,&7÷ 7*8ø9 99
æñ¹ò]óô¶õqö ÷jø
ò{2Ú,
+-3ó :¡Û ò ,<Ç
÷ 8ø
u vGwxÜ^x
Ú üÇý
"ëTè}ìïèîü(+-óX:òÝ,<Ç÷8ø]ðò{2Ú%,ÇðÇæñ¹ò]óaôõ]ö ÷ø]ðTó324242,&7÷78ø99 9qðó òØl,&Ù < <<8|7
aú(ç&ßÞVçëTèíüþ
ü-25Ú à òSæö
field is required to be either a prime field or a binary field. It is expected that the
ECDSA description will be consistent with that of ANSI X9.62.
2. IETF PKIX (Internet Engineering Task Force Public Key Infrastructure X.509-
Based): An internet draft [7] profiles the format of ECDSA domain parameters
and public keys for use in X.509 certificates. The formats are consistent with
those present in ANSI X9.62.
3. IETF TLS (Internet Engineering Task Force Transport Layer Security): This is
the IETF’s adoption of SSL (Secure Sockets Layer) which provides confidential-
ity, integrity, and authentication for network connections. ANSI X9.62 ECDSA is
being considered for inclusion as one of the signature algorithms [20].
4. WAP WTLS [110] (Wireless Application Protocol Wireless Transport Layer Se-
curity): Provides transport layer security for an architecture that enables secure
web browsing for mobile devices such as cellular phones, personal device assis-
tants, and pagers. ANSI X9.62 ECDSA is used for authentication.
=
as the solution of an instance of the elliptic curve discrete logarithm problem
using Pollard’s rho algorithm for an appropriately-selected elliptic curve over a
finite field whose order has bitlength ~aB . The correspondence between symmetric
cipher key lengths and field sizes is given in Table 1.
(ii) For prime fields , the prime moduli are of a special type (called generalized
Mersenne numbers) for which modular multiplication can be carried out more
efficiently than in general; see [74] and [101].
(iii) For binary fields , A was chosen so that there exists a Koblitz curve of almost
1 1
prime order over . Since e ÿ 6 divides e 6 whenever U divides A ,
this requirement imposes the condition that A be prime.
R ECOMMENDED E LLIPTIC C URVES. There are three types of elliptic curves:
1. Random elliptic curves over .
2. Koblitz elliptic curves over .
3. Random elliptic curves over .
The parameters of these curves are presented below. In these subsections, parame-
ters are either given in decimal form or in hexadecimal form preceded by ‘0x’. For the
binary fields, the additive and multiplicative identities are simply denoted by K and .
A method for converting between polynomial and normal basis representations for
is given at the end of this section.
U
Random Elliptic Curves Over
U
v v
Curve P-384 (D~ Õ(Ï ~ Õ z~"Ö Pp~ : )
!
'
'
!!
3'
" '
+
'!
' #
$4
1
$
%
&
# +#
#%
*''
0!
'
%
%
)
/##
#(
'
#
#$#
#
+
#
,)
%
#
$ '#
%
$'
+'+#$
#
#(*'
0
+
-
!
'
!
'
.
Curve P-521 (D~ Ò ¥ )
''
'
'
'
!'
'
!
!
'
!
!
!
!#
#$
" #
#
#
$
#%#
#
#
#$
$1 0# #
#
+$ #
#$
&
#
4
#
1
'
!+#
#%#!+##
'2
$1#5
#
##(0#
1
0
#$
)
#
!#
#
#$$4
#
#$
0#$
0$$!
#$1
#
!#
,)
#
%
#
%0#
#
*
#
+
%#1
1
#
'
-
''
'
'
'
$
!
.
The parameters of the (same) Koblitz curve and base point are given in both normal
basis representation (indicated by ¥¦ ) and in polynomial basis representation (indi-
cated by ¥¦N~ ). A method for converting between the two representations is given at
UÈ
the end of this section. The following parameters are given for each Koblitz curve:
A The extension degree of the binary field .
¥¦ An indication of the representation used for the elements of
in accordance with ANSI X9.62.
v
, ¢ The coefficients of the elliptic curve = P7¡=I7 Pp @7 Pp¢ .
7« , =^« The 7 and = coordinates of the base point ¡ .
The (prime) order of ¡ .
The co-factor.
¥¦N~ An indication of the second representation used for the elements
of in accordance with ANSI X9.62.
5~ , ¢~ The coefficients of the (same) elliptic curve using representation ¥¦º~ .
7« , =^« The 7 and = coordinates of the (same) base point ¡ using
representation ¥¦º~ .
Curve K-163
6
78 )
9$:-;<"!6=1>$
:@?BA
C
#
)D+#
%
+
1#$
,)D +
#
1#$
#$
-
'
.
78 2E$<=,-$<'6(:=/#$
:2F
:G . "9
G:<-$<=,-$<'6(:= IHJK1C2L M+L +M/L +M+L M%
N
#N
)
+ /
##
$!
,)
+ +#
'
%
Curve K-233
6
78 )
9$:-;<"!6=1>$
:@?BA
C
#
)D+
$!%
!*
!#'#
*0
#
,)D+ *!
#
'
'$
- '
!
!
'
.
78 2E$<=,-$<'6(:=/#$
:2F
:G . "9
G:<-$<=,-$<'6(:= IHJK1C2L! M+L M3
O
#N
)
+
+
!#$
2
P0
5 #
,)
+'#%
* #%%
#%
##$
UR
Curve K-283
6
78 )
9$:-;<"!6=1>$
:@?BA
C
#
)DD
#
+
#$3 '
/
$
##(!
#
!
$
#
,)DQ
!
+
##(
#
#
$
#(
-
0'
!
!
!
.
78 2E$<=,-$<'6(:=/#$
:2F
:G . "9
G:<-$<=,-$<'6(:=
IHJ
K1C/L M/L!+M+L M/L!+M
O
#N
)
+Q
'
!#
1
!
%$!
3 +#
,)
+R !2
Curve K-409
6
78 )
9$:-;<"!6=1>$
:@?BA
C
#
)DR0#$
!#$
#$
!
#
#3$'
$#
+0$
,)DR
!+
'
'#$3!#
#$
+'
#
#%
#
#
-
$!'$'
'
!
'
'
'
.
78 2E$<=,-$<'6(:=/#$
:2F
:G . "9
G:<-$<=,-$<'6(:= IHJK1C2L'
M+L M3
O
#N
)
+D
$/
#(
1
$
#
'+#$
#S#
,)
+R
+#
#$
'2#
+
!
#
Curve K-571
6
78 )
9$:-;<"!6=1>$
:@?BA
C
#
)DD##$#%'
#T
2#
#
/#$
!#
##%
'
#
#$
/#
U
U
/#
#
,)DO$!##+
#
#
#( #
!
%
/$!##
#$#
%
1
- !
'
'
!
!
$'!
$
!
.
78 2E$<=,-$<'6(:=/#$
:2F
:G . "9
G:<-$<=,-$<'6(:=
IHJ
K1C/L 1M/L M+L!+M/L!+M
O
#N
)
+Q##
$
4
%
!
'
#
#
$#
2##
0#$
#%#
!
,)
+D
$ #
#
4
+
$
$+
####
$2#
#! #$
0#%
$'
Each random elliptic curve over was generated using Algorithm 3. The output
of SHA-1 was interpreted as an element of a binary field represented with a Gaus-
sian normal basis. The parameters of the (same) elliptic curve and base point are
given in both normal basis representation (indicated by ¥¦ ) and in polynomial basis
representation (indicated by ¥¦N~ ). A method for converting between the two repre-
sentations is given at the end of this section. The following parameters are given for
each elliptic curve:
A The extension degree of the binary field .
¥¦ An indication of the representation used for the elements of
in accordance with ANSI X9.62.
§(¨I¨©^ª The seed used to randomly generate the coefficients of the
elliptic curve using Algorithm 3. v
, ¢ The coefficients of the elliptic curve = Pp7R=^7 Pp @7 P¢ .
7« , =^« The 7 and = coordinates of the base point ¡ .
The (prime) order of ¡ .
The co-factor.
¥¦N~ An indication of the second representation used for the
elements of in accordance with ANSI X9.62.
5~ , ¢~ The coefficients of the (same) elliptic curve using
representation ¥¦N~ .
7«¹~ , =^«¶~ The 7 and = coordinates of the (same) base point ¡ using
representation ¥¦N~ .
U
Curve B-163
6 '
78 )9
:-;$<"!6=/>$
:U?VA
C
#
/#(!
#
/
#3
#
) 1
!#
'#$
,)
$
#
##$
-
'
0
.
78 E<=,-$<06(:=+#$
:1F
:G . "
9$G$:<-<=,-$<06(:=
WHJK1C+L M/L M2L M2L M3
# +
+#
3'
#( $!
)
+
#$
,)
+$'#
+!%
!/#
+
Curve B-233
6
78 )9
:-;$<"!6=/>$
:U?VA
C
#
'##$
#%
#$
# !
#%
$!
%
) #
#
%
#
#5 +
#
1
#/#
0$
,)
##!+$ #
%##
%
-
!
.
78 E<=,-$<06(:=+#$
:1F
:G . "
9$G$:<-<=,-$<06(:= IHJ
K1C+L! M/L M
#
+
+
##$$ ##
0
!
)
$!#$+ ##$
10##
!#
+'#
#'#
,)
'
#+#
#
'
'
Curve B-283
6
78 )9
:-;$<"!6=/>$
:U?VA
C
!##
####
# X!0#%
#
%#1
1
#
#$
) Q
#$$'
!!# +#
$ #
,) Q
#
#
#
2!#$$
$#
-
!
.
78 E<=,-$<06(:=+#$
:1F
:G . "
9$G$:<-<=,-$<06(:= ¼
U
WHJK1C+L! M/L!+M2L M/L!/M
# Y#
#
%
3
'
+
#
)
Y
#
+#
!#
+
#
#(
,)
Q
'!2#
#$
#
%$
#
*
#!
Curve B-409
6
78 )9
:-;$<"!6=/>$
:U?VA
C
#$%
$#
'#
# X!
3
+
$'
!
!#%
+#
#
) Q
!#
+
#
#*'
/#
!#%#
'
'
,) X
#
##1##
+# !
$
'
2
#
$!
-
'!
!
!$
!
0
.
78 E<=,-$<06(:=+#$
:1F
:G . "
9$G$:<-<=,-$<06(:= IHJ
K1C+L' M/L M
# Q
#
#
##
#%
'
'
'#$
/
+
1#(
)
X!
#
#
+
' #
'
!#%
$
$
$2
#%
##
,)
QZ#(%#
#
##
#
#
%
0'#
Z##$
Curve B-571
6
78 )9
:-;$<"!6=/>$
:U?VA
C'
!#
#
1'
# Q
*
%!
!
1
!
'#
2
*!'$!
0#
#!
) Q
'+#$
#
#
'
#%
'
!+
,) Q
/
#
#%#(
#
+
#
+
#
+#
#
!##+#
!
-
$
'
! 0$
'
!
!
'
$
'
Ë
U
.
78 E<=,-$<06(:=+#$
:1F
:G . "
9$G$:<-<=,-$<06(:=
WHJK1C+L!4M/L M2L!+M/L!/M
# Y
'+
+#
%
!#/#$
'
##
#
!
#$
%
)
Q'#
$
0
$ ##$#
#
%
!##('
' !#
#
+'
,)
Q# #%$
+#
##
3
+#$!#
!
Z##$+#
'
$ #5
!$1
!
P0#
$!!#
6
C
'
+
#
##%#3
6
C
Q
!
'
/#
/#
'
+#$$
#'
6
C
Q
#%
+#
0 ##
+#0#
!
!!#
#
!%
Û
U
6
C
4D$ ##
+#
#
%'
#
#
+##
$#
#$
!#
%
!!
6
C '#
#
6
C
#3 #
##
!
#
#
$/##
6
C
Q $'#$+
$
2
!#%#
#+ $$1
!+
#
6
C
Q#
+
##'%
!#
$+#
1
#
#
6
C
4Q
' !#
##%
#1
#1
/
+
'#
#
%0#*'
#
/#$
11 Conclusions
ECDSA is now an ANSI, IEEE, NIST and ISO standard and is being standard-
ized by several other standards organizations. This paper described the ANSI X9.62
ECDSA, presented rationale for some design decisions, and discussed related secu-
rity, implementation, and interoperability issues. We hope that this paper contributes
to an increased understanding of the properties of ECDSA, and facilitates its use in
practice.
U5=
Acknowledgements
The authors would like to thank the members of the ANSI X9F1 and IEEE P1363
working groups, and, in particular, Jerry Solinas, for their many comments and con-
tributions during the development of the ECDSA standards.
References
1. L. Adleman, J. DeMarrais and M. Huang, “A subexponential algorithm for discrete logarithms
over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields”,
Algorithmic Number Theory, Lecture Notes in Computer Science, 877 (1994), Springer-Verlag,
28-40.
2. ANSI X9.31, Digital Signatures Using Reversible Public Key Cryptography for the Financial Ser-
vices Industry (rDSA), 1998.
3. ANSI X9.62, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve
Digital Signature Algorithm (ECDSA), 1999.
4. ANSI X9.63, Public Key Cryptography for the Financial Services Industry: Elliptic Curve Key
Agreement and Key Transport Protocols, working draft, October 2000.
5. D. Ash, I. Blake and S. Vanstone, “Low complexity normal bases”, Discrete Applied Mathematics,
25 (1989), 191-210.
6. R. Balasubramanian and N. Koblitz, “The improbability that an elliptic curve has subexponential
discrete log problem under the Menezes–Okamoto–Vanstone algorithm”, Journal of Cryptology,
11 (1998), 141-145.
7. L. Bassham, D. Johnson and T. Polk, Representation of Elliptic Curve Digital Signature Algorithm
(ECDSA) Keys and Signatures in Internet X.509 Public Key Infrastructure Certificates, Internet
Draft, June 1999. Available at http://www.ietf.org
8. M. Bellare, R. Canetti and H. Krawczyk, “A modular approach to the design and analysis of
authentication and key exchange protocols”, Proceedings of the 30th Annual ACM Symposium
on the Theory of Computing, 1998.
9. I. Blake, G. Seroussi and N. Smart, Elliptic Curves in Cryptography, Cambridge University Press,
1999.
10. S. Blake-Wilson and A. Menezes, “Entity authentication and authenticated key transport protocols
employing asymmetric techniques”, Proceedings of the 5th International Workshop on Security
Protocols, Lecture Notes in Computer Science, 1361 (1997), 137-158.
11. S. Blake-Wilson and A. Menezes, “Unknown key-share attacks on the station-to-station (STS)
protocol”, Public Key Cryptography – Proceedings of PKC ’99, Lecture Notes in Computer Sci-
ence, 1560 (1999), 154-170.
12. D. Bleichenbacher, “Generating ElGamal signatures without knowing the secret key”, Advances
in Cryptology – Eurocrypt ’96, Lecture Notes in Computer Science, 1070 (1996), Springer-Verlag,
10-18.
13. D. Boneh, R. DeMillo and R. Lipton, “On the importance of checking cryptographic protocols
for faults”, Advances in Cryptology – Eurocrypt ’97, Lecture Notes in Computer Science, 1233
(1997), Springer-Verlag, 37-51.
14. E. Brickell, D. Pointcheval, S. Vaudenay and M. Yung, “Design validations for discrete logarithm
based signature schemes”, Public Key Cryptography – Proceedings of PKC 2000, Lecture Notes
in Computer Science, 1751 (2000), 276-292.
15. D. Brown, “The exact security of ECDSA”, Technical report CORR 2000-54, Dept. of C&O, Uni-
versity of Waterloo, 2000. Available from http://www.cacr.math.uwaterloo.ca
[@\
16. M. Brown, D. Cheung, D. Hankerson, J. Hernandez, M. Kirkup and A. Menezes, “PGP in con-
strained wireless devices”, Proceedings of the Ninth USENIX Security Symposium, 2000, 247-
261.
17. M. Brown, D. Hankerson, J. Hernandez and A. Menezes, “Software implementation of the NIST
elliptic curves over prime fields”, Proceedings of RSA 2001, 2001, to appear.
18. Certicom ECC Challenge, November 1997, http://www.certicom.com
19. D. Chaum, J.-H. Evertse and J. van de Graaf, “An improved protocol for demonstrating posses-
sion of discrete logarithms and some generalizations”, Advances in Cryptology – Eurocrypt ’87,
Lecture Notes in Computer Science, 304, Springer-Verlag, 1988, 127-141.
20. T. Dierks and B. Anderson, ECC Cipher Suites for TLS, Internet Draft, March 1998. Available at
http://www.ietf.org
21. W. Diffie, P. van Oorschot and M. Wiener, “Authentication and authenticated key exchanges”,
Designs, Codes and Cryptography, 2 (1992), 107-125.
22. H. Dobbertin, A. Bosselaers and B. Preneel, “RIPEMD-160: A strengthened version of RIPEMD”,
Fast Software Encryption – FSE ’96, Lecture Notes in Computer Science, 1039 (1996), Springer-
Verlag, 71-82.
23. T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms”,
IEEE Transactions on Information Theory, 31 (1985), 469-472.
24. A. Enge, Elliptic Curves and Their Applications to Cryptography — An Introduction, Kluwer Aca-
demic Publishers, 1999.
25. A. Escott, J. Sager, A. Selkirk and D. Tsapakidis, “Attacking elliptic curve cryptosystems using
the parallel Pollard rho method”, CryptoBytes – The Technical Newsletter of RSA Laboratories,
volume 4, number 2, Winter 1999, 15-19. Also available at http://www.rsasecurity.com
26. M. Fouquet, P. Gaudry and R. Harley, “On Satoh’s algorithm and its implementation”, preprint,
2000.
27. G. Frey, “How to disguise an elliptic curve (Weil descent)”, talk at ECC ’98. Slides available at
http://www.cacr.math.uwaterloo.ca
28. G. Frey, “Applications of arithmetical geometry to cryptographic constructions”, Proceedings of
the Fifth International Conference on Finite Fields and Applications, to appear.
29. G. Frey and H. Rück, “A remark concerning ] -divisibility and the discrete logarithm in the divisor
class group of curves”, Mathematics of Computation, 62 (1994), 865-874.
30. S. Galbraith and N. Smart, “A cryptographic application of Weil descent”, Codes and Cryptogra-
phy, Lecture Notes in Computer Science, 1746 (1999), Springer-Verlag, 191-200.
31. R. Gallant, R. Lambert and S. Vanstone, “Improving the parallelized Pollard lambda search on
binary anomalous curves”, to appear in Mathematics of Computation.
32. P. Gaudry, F. Hess and N. Smart, “Constructive and destructive facets of Weil descent on el-
liptic curves”, preprint, January 2000. Available from http://www.hpl.hp.com/techreports/2000/
HPL-2000-10.html
33. S. Goldwasser, S. Micali and R. Rivest, “A digital signature scheme secure against adaptive
chosen message attacks”, SIAM Journal on Computing, 17 (1988), 281-308.
34. D. Gordon, “Designing and detecting trapdoors for discrete log cryptosystems”, Advances in
Cryptology – Crypto ’92, Lecture Notes in Computer Science, 740 (1993), Springer-Verlag, 66-
75.
35. D. Gordon, “Discrete logarithms in ^`_badcfe using the number field sieve”, SIAM Journal on Discrete
Mathematics, 6 (1993), 124-138.
36. D. Gordon, “A survey of fast exponentiation methods”, Journal of Algorithms, 27 (1998), 129-146.
37. D. Hankerson, J. Hernandez and A. Menezes, “Software implementation of elliptic curve cryptog-
raphy over binary fields”, Proceedings of CHES 2000, to appear.
38. T. Hasegawa, J. Nakajima and M. Matsui, “A practical implementation of elliptic curve cryptosys-
tems over ^`_badcfe on a 16-bit microcomputer”, Public Key Cryptography – Proceedings of PKC
’98, Lecture Notes in Computer Science, 1431 (1998), 182-194.
[@g
39. IEEE 1363, Standard Specifications for Public-Key Cryptography, 2000. http://grouper.ieee.org/
groups/1363/index.html
40. ISO/IEC 9798-3, Information Technology – Security Techniques – Entity Authentication Mecha-
nisms – Part 3: Entity authentication Using a Public-Key Algorithm (first edition), 1993.
41. ISO/IEC 11770-3, Information Technology – Security Techniques – Key Management – Part 3:
Mechanisms Using Asymmetric Techniques, 1999.
42. ISO/IEC 14888-3, Information Technology – Security Techniques – Digital Signatures with Ap-
pendix – Part 3: Certificate Based-Mechanisms, 1998.
43. ISO/IEC 15946, Information Technology – Security Techniques – Cryptographic Techniques
Based on Elliptic Curves, Committee Draft (CD), 1999.
44. T. Izu, J. Kogure, M. Noro and K. Yokoyama, “Efficient implementation of Schoof’s algorithm”, Ad-
vances in Cryptology – Asiacrypt ’98, Lecture Notes in Computer Science, 1514 (1999), Springer-
Verlag, 66-79.
45. M. Jacobson, N. Koblitz, J. Silverman, A. Stein and E. Teske, “Analysis of the xedni calculus
attack”, Designs, Codes and Cryptography, 20 (2000), 41-64.
46. D. Johnson, “Key validation”, Contribution to ANSI X9F1 working group, 1997.
47. B. Kaliski and Y. Yin, “Storage-efficient finite field basis conversion”, Selected Areas in Cryptog-
raphy, Lecture Notes in Computer Science, 1556 (1999), Springer-Verlag, 81-93.
48. J. Kelsey, B. Schneier, D. Wagner and C. Hall, “Cryptanalytic attacks on pseudorandom number
generators”, Fast Software Encryption – FSE ’98, Lecture Notes in Computer Science, 1372
(1998), Springer-Verlag, 168-188.
49. N. Koblitz, “Elliptic curve cryptosystems”, Mathematics of Computation, 48 (1987), 203-209.
50. N. Koblitz, “Constructing elliptic curve cryptosystems in characteristic 2”, Advances in Cryptology
– Crypto ’90, Lecture Notes in Computer Science, 537 (1991), Springer-Verlag, 156-167.
51. N. Koblitz, “CM-curves with good cryptographic properties”, Advances in Cryptology – Crypto
’91, Lecture Notes in Computer Science, 576 (1992), Springer-Verlag, 279-287.
52. N. Koblitz, A Course in Number Theory and Cryptography, 2nd edition, Springer-Verlag, 1994.
53. P. Kocher, “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems”,
Advances in Cryptology – Crypto ’96, Lecture Notes in Computer Science, 1109 (1996), Springer-
Verlag, 104-113.
54. P. Kocher, J. Jaffe and B. Jun, “Differential power analysis”, Advances in Cryptology – Crypto ’99,
Lecture Notes in Computer Science, 1666 (1999), Springer-Verlag, 388-397.
55. G. Lay and H. Zimmer, “Constructing elliptic curves with given group order over large finite fields”,
Algorithmic Number Theory, Lecture Notes in Computer Science, 877 (1994), Springer-Verlag,
250-263.
56. R. Lercier, “Computing isogenies in hUikj ”, Algorithmic Number Theory, Lecture Notes in Computer
Science, 1122 (1996), Springer-Verlag, 197-212.
57. R. Lercier, “Finding good random elliptic curves for cryptosystems defined h i j ”, Advances in
Cryptology – Eurocrypt ’97, Lecture Notes in Computer Science, 1233 (1997), Springer-Verlag,
379-392.
58. R. Lercier and F. Morain, “Counting the number of points on elliptic curves over finite fields:
strategies and performances”, Advances in Cryptology – Eurocrypt ’95, Lecture Notes in Com-
puter Science, 921 (1995), Springer-Verlag, 79-94.
59. R. Lidl and H. Niederreitter, Introduction to Finite Fields and their Applications, Cambridge Uni-
versity Press, 1984.
60. C. Lim and P. Lee, “A key recovery attack on discrete log-based schemes using a prime order
subgroup”, Advances in Cryptology – Crypto ’97, Lecture Notes in Computer Science, 1294
(1997), 249-263.
61. R. McEliece, Finite Fields for Computer Scientists and Engineers, Kluwer Academic Publishers,
Boston, 1987.
[l
62. W. Meier and O. Staffelbach, “Efficient multiplication on certain nonsupersingular elliptic curves”,
Advances in Cryptology – Crypto ’92, Lecture Notes in Computer Science, 740 (1993), Springer-
Verlag, 333-344.
63. A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, Boston,
1993.
64. A. Menezes, T. Okamoto and S. Vanstone, “Reducing elliptic curve logarithms to logarithms in a
finite field”, IEEE Transactions on Information Theory, 39 (1993), 1639-1646.
65. A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press,
1997.
66. A. Menezes and M. Qu, “Analysis of the Weil descent attack of Gaudry, Hess and Smart”, Pro-
ceedings of RSA 2001, 2001, to appear.
67. V. Miller, “Uses of elliptic curves in cryptography”, Advances in Cryptology – Crypto ’85, Lecture
Notes in Computer Science, 218 (1986), Springer-Verlag, 417-426.
68. F. Morain, “Building cyclic elliptic curves modulo large primes”, Advances in Cryptology – Euro-
crypt ’91, Lecture Notes in Computer Science, 547 (1991), Springer-Verlag, 328-336.
69. R. Mullin, I. Onyszchuk, S. Vanstone and R. Wilson, “Optimal normal bases in ^`_badcm
e ”, Discrete
Applied Mathematics, 22 (1988/89), 149-161.
70. National Institute of Standards and Technology, Digital Signature Standard, FIPS Publication 186,
1994.
71. National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS Publication
180-1, 1995.
72. National Institute of Standards and Technology, Entity Authentication using Public Key Cryptog-
raphy, FIPS Publication 196, 1997.
73. National Institute of Standards and Technology, Digital Signature Standard, FIPS Publication
186-1, 1998.
74. National Institute of Standards and Technology, Digital Signature Standard, FIPS Publication
186-2, 2000.
75. National Institute of Standards and Technology, Advanced Encryption Standard, work in progress.
76. National Institute of Standards and Technology, “Descriptions of SHA-256, SHA-384, and SHA-
512”, preprint, 2000.
77. National Security Agency, “SKIPJACK and KEA algorithm specification”, Version 2.0, May 29
1998.
78. K. Nyberg and R. Rueppel, “A new signature scheme based on the DSA giving message recov-
ery”, 1st ACM Conference on Computer and Communications Security, 1993, 58-61.
79. K. Nyberg and R. Rueppel, “Message recovery for signature schemes based on the discrete
logarithm problem”, Designs, Codes and Cryptography, 7 (1996), 61-81.
80. P. van Oorschot and M. Wiener, “Parallel collision search with cryptanalytic applications”, Journal
of Cryptology, 12 (1999), 1-28.
81. S. Pohlig and M. Hellman, “An improved algorithm for computing logarithms over ^`_badc(e and its
cryptographic significance”, IEEE Transactions on Information Theory, 24 (1978), 106-110.
82. D. Pointcheval and J. Stern, “Security proofs for signature schemes”, Advances in Cryptology –
Eurocrypt ’96, Lecture Notes in Computer Science, 1070 (1993), Springer-Verlag, 387-398.
83. J. Pollard, “Monte Carlo methods for index computation mod c ”, Mathematics of Computation, 32
(1978), 918-924.
84. M. Rabin, “Digitalized signatures and public-key functions as intractable as factorization”,
MIT/LCS/TR-212, MIT Laboratory for Computer Science, 1979.
85. R. Rivest, A. Shamir and L. Adleman, “A method for obtaining digital signatures and public-key
cryptosystems”, Communications of the ACM, 21 (1978), 120-126.
86. R. Rueppel, A. Lenstra, M. Smid, K. McCurley, Y. Desmedt, A. Odlyzko and P. Landrock, “The
Eurocrypt ’92 controversial issue – Trapdoor primes and moduli”, Advances in Cryptology – Eu-
rocrypt ’92, Lecture Notes in Computer Science, 658 (1993), Springer-Verlag, 194-199.
[fn
87. T. Satoh, “The canonical lift of an ordinary elliptic curve over a prime field and its point counting”,
preprint, 1999.
88. T. Satoh and K. Araki, “Fermat quotients and the polynomial time discrete log algorithm for
anomalous elliptic curves”, Commentarii Mathematici Universitatis Sancti Pauli, 47 (1998), 81-
92.
89. O. Schirokauer, “Discrete logarithms and local units”, Philosophical Transactions of the Royal
Society of London A, 345 (1993), 409-423.
90. C. Schnorr, “Efficient signature generation by smart cards”, Journal of Cryptology, 4 (1991), 161-
174.
91. R. Schoof, “Elliptic curves over finite fields and the computation of square roots mod c ”, Mathe-
matics of Computation, 44 (1985), 483-494.
92. R. Schroeppel, H. Orman, S. O’Malley and O. Spatscheck, “Fast key exchange with elliptic curve
systems”, Advances in Cryptology – Crypto ’95, Lecture Notes in Computer Science, 963 (1995),
Springer-Verlag, 43-56.
93. I. Semaev, “Evaluation of discrete logarithms in a group of c -torsion points of an elliptic curve in
characteristic c ”, Mathematics of Computation, 67 (1998), 353-356.
94. J. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, 1986.
95. J. Silverman, “The xedni calculus and the elliptic curve discrete logarithm problem”, Designs,
Codes and Cryptography, 20 (2000), 5-40.
96. J. Silverman and J. Suzuki, “Elliptic curve discrete logarithms and the index calculus”, Advances
in Cryptology – Asiacrypt ’98, Lecture Notes in Computer Science, 1514 (1999), Springer-Verlag,
110-125.
97. R. Silverman and J. Stapleton, Contribution to ANSI X9F1 working group, 1997.
98. N. Smart, “The discrete logarithm problem on elliptic curves of trace one”, Journal of Cryptology,
12 (1999), 193-196.
99. M. Smid and D. Branstad, “Response to Comments on the NIST Proposed Digital Signature
Standard”, Advances in Cryptology – Crypto ’92, Lecture Notes in Computer Science, 740 (1993),
Springer-Verlag, 76-88.
100. J. Solinas, “An improved algorithm for arithmetic on a family of elliptic curves”, Advances in Cryp-
tology – Crypto ’97, Lecture Notes in Computer Science, 1294 (1997), Springer-Verlag, 357-371.
101. J. Solinas, “Generalized Mersenne numbers”, Technical report CORR 99-39, Dept. of C&O, Uni-
versity of Waterloo, 1999. Available from http://www.cacr.math.uwaterloo.ca
102. J. Solinas, “Efficient arithmetic on Koblitz curves”, Designs, Codes and Cryptography, 19 (2000),
195-249.
103. Standards for Efficient Cryptography Group, SEC 1: Elliptic Curve Cryptography, version 1.0,
2000. Available at http://www.secg.org
104. Standards for Efficient Cryptography Group, SEC 2: Recommended Elliptic Curve Domain Pa-
rameters, version 1.0, 2000. Available at http://www.secg.org
105. A. Stein, “Equivalences between elliptic curves and real quadratic congruence function fields”,
Journal de Théorie des Nombres de Bordeaux, 9 (1997), 75-95.
106. A. Stein, V. Müller and C. Thiel, “Computing discrete logarithms in real quadratic congruence
function fields of large genus”, Mathematics of Computation, 68 (1999), 807-822.
107. E. Teske, “Speeding up Pollard’s rho method for computing discrete logarithms”, Algorithmic
Number Theory, Lecture Notes in Computer Science, 1423 (1998), Springer-Verlag, 541-554.
108. S. Vanstone, “Responses to NIST’s Proposal”, Communications of the ACM, 35, July 1992, 50-52
(communicated by John Anderson).
109. S. Vaudenay, “Hidden collisions on DSS”, Advances in Cryptology – Crypto ’96, Lecture Notes in
Computer Science, 1109 (1996), Springer-Verlag, 83-88.
110. WAP WTLS, Wireless Application Protocol Wireless Transport Layer Security Specification, Wire-
less Application Protocol Forum, February 1999. Drafts available at http://www.wapforum.org
[
o
111. M. Wiener and R. Zuccherato, “Faster attacks on elliptic curve cryptosystems”, Selected Areas
in Cryptography, Lecture Notes in Computer Science, 1556 (1999), Springer-Verlag, 190-200.
112. E. De Win, S. Mister, B. Preneel and M. Wiener, “On the performance of signature schemes
based on elliptic curves”, Algorithmic Number Theory, Lecture Notes in Computer Science, 1423
(1998), Springer-Verlag, 252-266.
113. R. Zuccherato, “The equivalence between elliptic curve and quadratic function field discrete log-
arithms in characteristic 2”, Algorithmic Number Theory, Lecture Notes in Computer Science,
1423 (1998), Springer-Verlag, 621-638.
[@[
www.certicom.com
Sales Support:
Tel: 510.780.5400
Fax: 510.780.5401
Email: sales@certicom.com
Investor Inquiries:
Contact Starla Ackley
510-780-5404
Email: sackley@certicom.com
p
c Certicom Corporation 2001
cps wp 001-1